作者:MeshCloud脈時雲公有雲架構師 陳滿
一、關于Google Cloud 證書管理器(Certificate Manger)
用來簽發和管理 SSL 證書,并配合 HTTPS 負載均衡器來實作傳輸層安全
對比于現有負載均衡器授權的使用方式,使用證書管理器有以下優勢:
- 支援 Google 管理簽發的證書自動頒發和續訂
- 支援泛域名證書簽發
- 支援基于 DNS 的域名驗證認證
- 基于主機名 hostname 控制證書的配置設定和選擇。
- 解除了單一負載均衡器15個證書的限制,Certificate Manager 支援每個負載均衡器多達一百萬個證書。
二、Certificate Manager 實作方式:
Certificate Manager 使用靈活的映射機制,使您可以精細控制可以配置設定哪些證書以及如何為環境中的每個主機名提供這些證書使用。主要包含Certificate Map【證書映射】、證書、證書映射實體、域名所有權認證。
- DNS 授權:每個 DNS 授權存儲有關設定的 DNS 記錄的資訊,其中包含單個域及其通配符,例如 mesh.com和 *.mesh.com。
- 證書[Certificates]: 指定hostname 或域通配符頒發的單個 X.509 傳輸層安全性 (TLS) (SSL) 證書。
- 證書映射:引用一個或多個将指定證書配置設定給特定主機名的證書映射條目,可以一個證書映射關聯到不同的負載均衡上使用。
- 證書實體:指定主機名提供的證書清單。
三、場景介紹
1、通常通過load Balancer 授權方式建立證書,往往需要很長時間,這樣造成在更新域名或子域名證書時需要較長的停機時間且不支援簽發泛域名證書,給實際使用帶來了很大的不便利性;使用 Certificate Manager 可以提前建立好證書,然後挂載到相應的 Target HTTPS Proxy 上,大大縮短了停機時間且支援泛域名證書簽發。
2、當你的業務需要許多後端服務,同時這些服務需要使用不同的域名來釋出時,可以通過使用 Certificate Manager 來動态自動更新證書。
四、使用案例展示
在本實驗中,我們将Cloud Storage 作為後端服務,并通過 HTTPS 負載均衡器對外釋出。在 URL Map 中,通過證書管理器 Certificate Manager建立SSL 證書,并綁定到 Target HTTPS Proxy 上,最終通過統一的一個 IP 位址對外釋出。
1、建立和配置Cert Manager
1.1 **建立 Certificate Manager DNS Authorizationss**
$ **gcloud beta certificate-manager dns-authorizations create dns-auth-mesh --domain=mesh.com.cn**
Create request issued for: [dns-auth-mesh]
Waiting for operation [projects/yunion-test-286209/locations/global/operations/operation-1661222053860-5e6df6669d41b-91dc6bf0-cf25df1d] to complete
...done.
Created dnsAuthorization [dns-auth-mesh].
1.2 **檢視DNS Authentication Value,通常是CNAME 值:**
$ **gcloud certificate-manager dns-authorizations list**
NAME: ccm-dns-auth-home
DOMAIN: home.mesh.com.cn
DNS_RECORD: _acme-challenge.home.mesh.com.cn.
RECORD_TYPE: CNAME
DNS_VALUE: a91c93b3-8ac4-4xxxxxdf0804.12.authorize.certificatemanager.goog.
$ **gcloud certificate-manager dns-authorizations describe** dns-auth-mesh
createTime: '2022-08-23T02:34:14.047844357Z'
dnsResourceRecord:
data: 211e25e7-e689-4087-bdde-50afb58f9c85.16.authorize.certificatemanager.goog.
name: _acme-challenge.mesh.com.cn.
type: CNAME
domain: mesh.com.cn
name: projects/yunion-test-286209/locations/global/dnsAuthorizations/dns-auth-mesh
updateTime: '2022-08-23T02:34:14.660549270Z' 1.3 在DNS 控制台添加CNAME 記錄值,驗證域名所有: 具體取決DNS 托管服務,配置方式,以DNSPod 為例:
1.4 **配置cert manager 簽發證書**
$ gcloud certificate-manager certificates create home-cert --domains=*.mesh.com.cn --dns-authorizations=dns-auth-mesh
Create request issued for: [home-cert]
Waiting for operation [projects/yunion-test-286209/locations/global/operations/operation-1661223164418-5e6dfa89b999a-9aeac7be-62e567ba] to complete
...done.
Created certificate [home-cert].
**1.5 檢視cert manager 簽發證書狀态:**
$ gcloud beta certificate-manager certificates describe ccm-cert-home-0
createTime: '2022-08-22T14:55:57.056426568Z'
expireTime: '2022-11-20T14:05:15Z'
managed:
authorizationAttemptInfo:
- domain: home.mesh.com.cn
state: AUTHORIZED
............
pemCertificate: |
-----BEGIN CERTIFICATE-----
MIIFZTCCBE2gAwIBAgIRAIkQmo3l/+KUEMvo3PgeqZ4wDQYJKoZIhvcNAQELBQAw
..........
ivm63XTzP91kHHIa2Si+cMV6PHsv9UMUTi2EDaYGYc7FGGQS8ohhjJVx4B0BnL95
XVNPlqPq9ZzreWqVxcOYE6/BDZ6/Qh8qwlYz2S7ZFo4qMSGwgW8ty2w3cHaK1MVZ
H8IbNKhGJZEuLyk7T0s4YYTk5onCObkwkRsfoUT/juZY/cJqavN3qW4+hgG5rakZ
BDkanOwYczkqi1LAg6hPVR5We58sAotvaqsSGU2V4dtN0wuRAbSFXvA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFjDCCA3SgAwIBAgINAgCOsgIzNmWLZM3bmzANBgkqhkiG9w0BAQsFADBHMQsw
..........
JDwRjW/656r0KVB02xHRKvm2ZKI03TglLIpmVCK3kBKkKNpBNkFt8rhafcCKOb9J
x/9tpNFlQTl7B39rJlJWkR17QnZqVptFePFORoZmFzM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgIQd70NbNs2+RrqIQ/E8FjTDTANBgkqhkiG9w0BAQsFADBX
.......
+qduBmpvvYuR7hZL6Dupszfnw0Skfths18dG9ZKb59UhvmaSGZRVbNQpsg3BZlvi
d0lIKO2d1xozclOzgjXPYovJJIultzkMu34qQb9Sz/yilrbCgj8=
-----END CERTIFICATE-----
sanDnsnames:
- home.mesh.com.cn
updateTime: '2022-08-22T14:55:57.360080809Z'
-----
**PROVISIONING 狀态,說明dns-auth 已經驗證過,現在需要等待簽發證書,
注:[一般證書簽發需要在幾分鐘到半個小時左右]**
$ **gcloud certificate-manager certificates describe home-cert
[大概10min 完成了證書簽發]**
createTime: '2022-08-23T02:52:44.553453560Z'
managed:
authorizationAttemptInfo:
- domain: '*.mesh.com.cn'
state: AUTHORIZING
dnsAuthorizations:
- projects/587936279668/locations/global/dnsAuthorizations/dns-auth-mesh
domains:
- '*.mesh.com.cn'
state: PROVISIONING
name: projects/yunion-test-286209/locations/global/certificates/home-cert
sanDnsnames:
- '*.mesh.com.cn'
updateTime: '2022-08-23T02:52:44.894467832Z' 檢視已經簽發的Certification,有EXPIRE_TIME 說明證書也已經簽發完成了:
$ **gcloud certificate-manager certificates list**
NAME: ccm-cert-all
SUBJECT_ALTERNATIVE_NAMES: *.home.mesh.com.cn
DESCRIPTION:
SCOPE:
EXPIRE_TIME: 2022-11-21 00:17:53 +00:00
CREATE_TIME: 2022-08-23 01:08:35 +00:00
UPDATE_TIME: 2022-08-23 01:08:35 +00:00 建立用于關聯負載均衡器的證書映射Maps:
# 通過DNS AUTH 方式建立證書
$ gcloud certificate-manager certificates create cm-mesh-com-cn-crt0 \
--domains=cm.mesh.com.cn --dns-authorizations=cm-mesh-com-cn-dnsauth
Create request issued for: [cm-mesh-com-cn-crt0]
Waiting for operation [projects/yunion-test-286209/locations/global/operations/operation-1675678072902-5f405344b142b-73fff750-d09957d3] to complete...done.
Created certificate [cm-mesh-com-cn-crt0].
## 檢視證書:
$ gcloud certificate-manager certificates describe cm-mesh-com-cn-crt0
createTime: '2023-02-06T10:07:53.040703874Z'
expireTime: '2023-05-07T10:07:54Z'
managed:
authorizationAttemptInfo:
- domain: cm.mesh.com.cn
**state: AUTHORIZED**
dnsAuthorizations:
- projects/587936279668/locations/global/dnsAuthorizations/cm-mesh-com-cn-dnsauth
domains:
**- cm.mesh.com.cn
state: ACTIVE**
name: projects/yunion-test-286209/locations/global/certificates/cm-mesh-com-cn-crt0
pemCertificate: |
### 建立證書映射 Map
gcloud certificate-manager maps create CERTIFICATE_MAP_NAME
## 将證書與Entry 關聯添加到Maps 中:
$ gcloud certificate-manager maps entries create cm-mesh-com-cn-entry0
--map="cm-mesh-com-cn-maps" --certificates="cm-mesh-com-cn-crt0"
--hostname="cm.mesh.com.cn"
## 檢視Entry 狀态:
$ gcloud certificate-manager maps entries create cm-mesh-com-cn-entry0 \
--map="cm-mesh-com-cn-maps" --certificates="cm-mesh-com-cn-crt0" \
--hostname="cm.mesh.com.cn" 将簽發的maps 部署到LB上:
## gcloud compute target-https-proxies update gcs-lb-target-proxy-2
--certificate-map="cm-mesh-com-cn-maps" 通路驗證SSL 證書簽發有效性:
Cert Manager 建立的證書:
1、不能在console 中直接檢視,隻能通過gcloud
2、不能直接在console 中,綁定LB 使用
3、*.domain.com 不包含domain.com 證書 會傳回SSL Error
4、在Map 中直接添加Cert Entry 就可以,不需要更新target Proxy
參考:
1、[https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth#verify_that_the_certificate_is_active](https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth#create_a_certificate_map_entry)
2、https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth